Windows Analysis Report
67AzzNNioP.exe

Overview

General Information

Sample Name:	67AzzNNioP.exe
Analysis ID:	708239
MD5:	f44d0bd72d14338b655a6d4457419493
SHA1:	dbe1773340912698515f76885f07d6faacbce09c
SHA256:	8f8cb5930100e80159502fd6d224909606f47ff17614f89b41b650afc3a91b6d
Tags:	185-25-204-244ServereasySrlexemorpheus
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Installs a raw input device (often for capturing keystrokes)

Searches for the Microsoft Outlook file path

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

File is packed with WinRar

Detected TCP or UDP traffic on non-standard ports

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 67AzzNNioP.exe	ReversingLabs: Detection: 27%
Source: 67AzzNNioP.exe	Virustotal: Detection: 22%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\AIO.exe

Virustotal: Detection: 7%

Perma Link

Uses 32bit PE files

Source: 67AzzNNioP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 67AzzNNioP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 67AzzNNioP.exe

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_001EA69B
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_001FC220
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_0020B348 FindFirstFileExA,	0_2_0020B348

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49702 -> 185.25.204.244:9090

Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.204.244

Installs a raw input device (often for capturing keystrokes)

Source: 67AzzNNioP.exe, 00000000.00000003.264138468.000000000C2CE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: ,M3.2.0,M11.1.0476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDefSubclassProcDeviceIoControlDialogBoxParamWDragAcceptFilesDuplicateHandleFailed to find Failed to load FindNextStreamWFlushViewOfFileGdiplusShutdownGetActiveWindowGetAdaptersInfoGetClassInfoExWGetCommandLineWGetEnhMetaFileWGetMenuItemRectGetMonitorInfoWGetProcessTimesGetRawInputDataGetStartupInfoWGetTextMetricsWHanifi_RohingyaImpersonateSelfInsertMenuItemWIsWindowEnabledIsWindowVisibleMonitorFromRectOpenThreadTokenOther_LowercaseOther_UppercasePlayEnhMetaFilePostQuitMessageProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWSetDCBrushColorShowWindowAsyncSwapMouseButtonUnmapViewOfFile]

Uses 32bit PE files

Source: 67AzzNNioP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Detected potential crypto function

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001E848E	0_2_001E848E
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F6CDC	0_2_001F6CDC
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F4088	0_2_001F4088
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F00B7	0_2_001F00B7
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001E40FE	0_2_001E40FE
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F7153	0_2_001F7153
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_002051C9	0_2_002051C9
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F62CA	0_2_001F62CA
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001E32F7	0_2_001E32F7
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F43BF	0_2_001F43BF
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001EC426	0_2_001EC426
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_0020D440	0_2_0020D440
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001EF461	0_2_001EF461
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F77EF	0_2_001F77EF
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001E286B	0_2_001E286B
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_0020D8EE	0_2_0020D8EE
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001EE9B7	0_2_001EE9B7
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_002119F4	0_2_002119F4
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001F3E0B	0_2_001F3E0B
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_00204F9A	0_2_00204F9A
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001EEFE2	0_2_001EEFE2

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: String function: 001FEB78 appears 39 times
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: String function: 001FEC50 appears 56 times
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: String function: 001FF5F0 appears 31 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001FA070 SetWindowLongW,GetWindowLongW,NtdllDefWindowProc_W,

0_2_001FA070

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001E6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_001E6FAA

Searches for the Microsoft Outlook file path

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Tries to load missing DLLs

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Section loaded: dxgidebug.dll	Jump to behavior

PE file contains more sections than normal

Source: AIO.exe.0.dr

Static PE information: Number of sections : 14 > 10

Source: AIO.exe.0.dr	Static PE information: Section: /19 ZLIB complexity 0.9970344753440367
Source: AIO.exe.0.dr	Static PE information: Section: /32 ZLIB complexity 0.9973810369318182
Source: AIO.exe.0.dr	Static PE information: Section: /65 ZLIB complexity 0.9984575565403423

Source: 67AzzNNioP.exe	ReversingLabs: Detection: 27%
Source: 67AzzNNioP.exe	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\67AzzNNioP.exe

File read: C:\Users\user\Desktop\67AzzNNioP.exe

Jump to behavior

Source: 67AzzNNioP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\67AzzNNioP.exe "C:\Users\user\Desktop\67AzzNNioP.exe"
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process created: C:\Users\user\Desktop\AIO.exe "C:\Users\user\Desktop\AIO.exe"
Source: C:\Users\user\Desktop\AIO.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process created: C:\Users\user\Desktop\AIO.exe "C:\Users\user\Desktop\AIO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\67AzzNNioP.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6961296

Jump to behavior

Source: classification engine

Classification label: mal56.winEXE@4/2@0/1

Source: C:\Users\user\Desktop\67AzzNNioP.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001E6C74 GetLastError,FormatMessageW,

0_2_001E6C74

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_01

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001FA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_001FA6C2

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Command line argument: sfxname	0_2_001FDF1E
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Command line argument: sfxstime	0_2_001FDF1E
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Command line argument: STARTDLG	0_2_001FDF1E
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Command line argument: xz#	0_2_001FDF1E

Source: 67AzzNNioP.exe

Static file information: File size 2543411 > 1048576

Source: 67AzzNNioP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 67AzzNNioP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 67AzzNNioP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 67AzzNNioP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 67AzzNNioP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 67AzzNNioP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 67AzzNNioP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 67AzzNNioP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 67AzzNNioP.exe

Source: 67AzzNNioP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 67AzzNNioP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 67AzzNNioP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 67AzzNNioP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 67AzzNNioP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FF640 push ecx; ret		0_2_001FF653
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FEB78 push eax; ret		0_2_001FEB96

PE file contains sections with non-standard names

Source: 67AzzNNioP.exe	Static PE information: section name: .didat
Source: AIO.exe.0.dr	Static PE information: section name: /4
Source: AIO.exe.0.dr	Static PE information: section name: /19
Source: AIO.exe.0.dr	Static PE information: section name: /32
Source: AIO.exe.0.dr	Static PE information: section name: /46
Source: AIO.exe.0.dr	Static PE information: section name: /65
Source: AIO.exe.0.dr	Static PE information: section name: /78
Source: AIO.exe.0.dr	Static PE information: section name: /90
Source: AIO.exe.0.dr	Static PE information: section name: .symtab

File is packed with WinRar

Source: C:\Users\user\Desktop\67AzzNNioP.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6961296

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\67AzzNNioP.exe

File created: C:\Users\user\Desktop\AIO.exe

Jump to dropped file

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AIO.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AIO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Memory allocated: 74C0000 memory reserve | memory write watch

Jump to behavior

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001FE6A3 VirtualQuery,GetSystemInfo,

0_2_001FE6A3

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_001EA69B
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_001FC220
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_0020B348 FindFirstFileExA,	0_2_0020B348

Source: C:\Users\user\Desktop\67AzzNNioP.exe

API call chain: ExitProcess graph end node

Source: 67AzzNNioP.exe, 00000000.00000002.273055151.0000000002E8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHO
Source: 67AzzNNioP.exe, 00000000.00000002.272694925.0000000002E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 67AzzNNioP.exe, 00000000.00000002.272889878.0000000002E6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: AIO.exe, 00000001.00000002.277458799.0000022F98FBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001FF838

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_0020C030 GetProcessHeap,

0_2_0020C030

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_00207DEE mov eax, dword ptr fs:[00000030h]

0_2_00207DEE

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FF9D5 SetUnhandledExceptionFilter,	0_2_001FF9D5
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001FF838
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_001FFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001FFBCA
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Code function: 0_2_00208EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00208EBD

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Process created: C:\Users\user\Desktop\AIO.exe "C:\Users\user\Desktop\AIO.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\67AzzNNioP.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_001FAF0F

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001FF654 cpuid

0_2_001FF654

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001FDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_001FDF1E

Source: C:\Users\user\Desktop\67AzzNNioP.exe

Code function: 0_2_001EB146 GetVersionExW,

0_2_001EB146

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.25.204.244	unknown	Italy		60798	ASSERVEREASYIT	false

ID:	708239
Product:	CloudBasic
Start time:	07:55:46
Start date:	23.09.2022
Sample:	67AzzNNioP.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f44d0bd72d14338b655a6d4457419493
SHA1:	dbe1773340912698515f76885f07d6faacbce09c
SHA256:	8f8cb5930100e80159502fd6d224909606f47ff17614f89b41b650afc3a91b6d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\AIO.exe	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	9C1181704C48D62DE14C5F682C4F5D5E	ADA9921624F3225054745643B0D4504939EFD1AA	44EA8AE385D7D95D4F0B9C6969C0D0CA55ACFD996E97236C0AE04EB2B4B2D623
C:\Users\user\Desktop\download.jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 236x213, frames 3	F6E32B18FEB903C735501B2B188B9310	A3F87DC9655C91FA406BFB6346288FB3A0FCCDE7	71DFD33F3C6E255DBAFED40878452AFE3248F86382588F10F85D31A0BC4BB481

Windows Analysis Report
67AzzNNioP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report 67AzzNNioP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
67AzzNNioP.exe